aboutsummaryrefslogtreecommitdiffstats
path: root/NEWS
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2005-10-29 14:03:35 +0000
committerMatthias Andree <matthias.andree@gmx.de>2005-10-29 14:03:35 +0000
commit71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7 (patch)
treee47ac8f9936bfb57c3a09eb217b105d31f898d55 /NEWS
parent68e2e0521de07dc8b6fed01b0608496f2569c090 (diff)
downloadfetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.tar.gz
fetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.tar.bz2
fetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.zip
Clean up SECURITY FIXES section.
svn path=/trunk/; revision=4371
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS12
1 files changed, 6 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index a794a196..bb06e1b0 100644
--- a/NEWS
+++ b/NEWS
@@ -9,15 +9,15 @@ Abbreviations: MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk)
fetchmail 6.3.0 (not yet released officially):
-# SECURITY FIX
-* The POP3 UIDL code doesn't sufficiently validate/truncate the input
+# SECURITY FIXES IN THIS RELEASE
+* CVE-2005-2335: The POP3 UIDL code doesn't sufficiently validate/truncate the input
length, so a (malicious or compromised) server that sends UIDs longer
than 128 bytes can corrupt fetchmail's stack and crash fetchmail.
This vulnerability is remotely exploitable to inject code run in a
- root shell. This is tracked under the CVE Name: CAN-2005-2335
-* fetchmailconf now changes the output file to mode 0600 BEFORE writing to it,
- so there is no window where passwords could be read by the world.
- Matthias Andree.
+ root shell. Edward J. Shornock, Ludwig Nussel. fetchmail-SA-2005-01.txt
+* CVE-2005-3088: fetchmailconf now changes the output file to mode 0600 BEFORE
+ writing to it, so there is no window where passwords could be read by the
+ world. Matthias Andree. fetchmail-SA-2005-02.txt
# MAJOR INCOMPATIBLE CHANGES
* Remove support for --netsec/-T options, the required inet6_apps library is no